Abstract

In this paper we pose and begin to explore a deductive problem more general than that of finding a proof that a given goal formula logically follows from a given set of hypotheses. The problem is most simply stated in the propositional calculus: given a goal A and hypothesis H we wish to find a formula P, called a precondition, such that A logically follows from P ∧ H. A precondition provides any additional conditions under which A can be shown to follow from H. A slightly more complex definition of preconditions in a first-order theory is given and used throughout the paper. A formal system based on natural deduction is presented in which preconditions can be derived. A number of examples are then given which show how derived preconditions are used in a program synthesis method we are developing. These uses include theorem proving, formula simplification, simple code generation, the completion of partial specifications for a subalgorithm, and other tasks of a deductive nature.

0. Introduction

Traditionally, the subject of automatic theorem proving has dealt with the problem of finding a proof that a given goal formula A logically follows from a given hypothesis H. In this paper we pose a more general deductive problem and suggest that systems for solving this more general problem can extend the utility of deductive mechanisms, and provide a framework for overcoming some problematic features of current theorem provers. The problem is most simply stated in the propositional calculus: given a goal A and hypothesis H we wish to find a formula P, called a precondition, such that A logically follows from P ∧ H. In other words a precondition provides any additional conditions under which A can be shown to follow from H.

A formal system in which preconditions can be derived is described in section 2. Each rule in this natural deduction-like system has a reduction component which reduces a goal A0 to subgoals A1, A2, ..., Ak and a composition component which composes preconditions of subgoals A1, A2, ..., Ak to form a precondition of A0.

After presenting basic terminology in section 1, a formal system for deriving preconditions is given in section 2. A number of examples are presented in section 3 which show how derived preconditions are used in a program synthesis method we are developing [9, 10]. These uses include theorem proving, formula simplification, simple code generation, the completion of partial specifications for a subalgorithm, and other tasks of a deductive nature.

1. Terminology

The examples given below are drawn from a program synthesis system which works within a many-sorted first-order theory TT. The theory includes data types such as ℕ (natural numbers), LIST(ℕ) (linear lists of natural numbers), and BAGS(ℕ) (multisets of natural numbers). We will use the (possibly subscripted) symbols i,j,k for variables ranging over ℕ, x,y,z for variables over LIST(ℕ), and B as a variable over BAGS(ℕ). The theory also includes a number of functions and predicates defined on these types and axiomatic specifications of their interactions. The notions of term, atomic formula, literal, and (well-formed) formula have their usual definitions [5]. Let T and F be propositional constants which have the values true and false respectively in all models of TT. We make use of a distinguished subset of the theorems of TT called known theorems which are assumed to be immediately available to the deductive system. The set of known theorems may change over time but initially includes all axioms of TT. All of the known theorems required by the examples are listed in the appendix.



Let Q1x1 Q2x2 ... Qnxn G be a closed formula, not necessarily in prenex form, where Qi is either ∃ or ∀ for i=1,2,...,n. An x1x2...xn-precondition of Q1x1 Q2x2 ... Qnxn G is a quantifier-free formula P dependent only on variables x1, x2, ..., xn such that

    Q1x1 Q2x2 ... Qnxn [P ⇒ G]

is valid in TT. P is also a weakest x1x2...xn-precondition if

    Q1x1 Q2x2 ... Qnxn [P ≡ G]

is valid in TT.

Two well-known special cases of these concepts can be given. First, if T can be derived as an x1x2...xn-precondition of a goal Q1x1 Q2x2 ... Qnxn G then the derivation is in fact a proof of the validity of Q1x1 Q2x2 ... Qnxn G since

    Q1x1 Q2x2 ... Qnxn [T ⇒ G] ≡ Q1x1 Q2x2 ... Qnxn G

Therefore any system for deriving preconditions can also be used for theorem proving. Second, Dijkstra's concept [3] of a "weakest pre-condition" WP(S,R) of a program S with respect to post-condition R may be defined as a weakest q-precondition of

    ∀q ∃k ∃p [TERMINATE(S,q,k,p) ∧ R(p)]

where TERMINATE(S,q,k,p) holds iff program S activated in initial state q terminates within k steps (assuming a suitable definition of a program step) in a final state p. I.e.,

    ∀q [WP(S,R)[q] ≡ ∃k ∃p TERMINATE(S,q,k,p) ∧ R(p)]

Our program synthesis method is not directly related to Dijkstra's approach to algorithm design [3].

In general a given goal may have many preconditions. Characteristics of a useful precondition seem to depend on the application domain. In program synthesis we generally want preconditions which are a) easily computable, b) in as simple a form as possible, and c) as weak as possible. (Criterion (c) prevents the boolean constant F from being an acceptable precondition for all goals.) Clearly there is a tradeoff between these criteria. We are currently investigating the possibility of measuring each criterion by a separate heuristic function, then combining the results to form a net complexity measure on preconditions. For reasons to be discussed later we assume that such a complexity measure ranges over a well-founded set (such as ℕ under the usual < relation) and that we seek to minimize complexity over all preconditions. In this paper however we are mostly concerned with setting up a formal system within which preconditions can be derived, and showing how to solve some program synthesis problems using it.



2. A Formal System for Deriving Preconditions

2.1 Goal Preparation

In presenting a set of rules which allow us to derive preconditions we use the notation H ⊢ A (a goal statement) to denote the statement that well-formed formula A logically follows from the set of hypotheses H in TT, i.e., h1 ∧ h2 ∧ ... ∧ hn ⇒ A is valid in TT where H = {h1, h2, ..., hn}.

A goal statement H ⊢ A and the known theorems of TT are prepared as follows. First, all occurrences of equivalence (≡) and implication (⇒) signs are eliminated and negation signs are moved in as far as possible. H and the known theorems of TT are then skolemized in the usual way [5], i.e., existentially quantified variables are replaced by skolem functions of the universally quantified variables on which they depend. Quantifiers are then dropped with the understanding that all remaining variables are universally quantified. The goal A is skolemized in a dual manner with universally quantified variables replaced by skolem functions of the existential variables on which they depend. All quantifiers are then dropped with the understanding that all variables in A which remain are existentially quantified. The preparation of A is equivalent (via duality of goals and assertions) to preparing ~A as an hypothesis then taking the negation of the result as our prepared goal.
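As an added example (not code from the paper), the three preparation steps above written out in Python over a small tuple encoding of formulas; the encoding, the function names and the skolem-name prefixes r (goals) and f (hypotheses) are assumptions. The embedded formula is formula (1) of section 2.5, and prepare_goal turns it into the prepared goal given there, with i2 left free (existential).

```python
"""Goal preparation of section 2.1: eliminate => and <=>, move negations in,
skolemize (dually for goals).  Added example; the tuple encoding and the skolem
name prefixes r (goals) and f (hypotheses) are assumptions, not the paper's.
Formulas: ('atom', pred, [terms]), ('not', F), ('and', F, G), ('or', F, G),
('imp', F, G), ('iff', F, G), ('forall', v, F), ('exists', v, F).
Terms: a variable or constant name (str), or ('fn', name, [terms])."""
import itertools


def eliminate_connectives(f):
    """Step 1: rewrite => (theorem p11) and <=> using only and/or/not."""
    tag = f[0]
    if tag == 'atom':
        return f
    if tag == 'not':
        return ('not', eliminate_connectives(f[1]))
    if tag in ('forall', 'exists'):
        return (tag, f[1], eliminate_connectives(f[2]))
    a, b = eliminate_connectives(f[1]), eliminate_connectives(f[2])
    if tag in ('and', 'or'):
        return (tag, a, b)
    if tag == 'imp':
        return ('or', ('not', a), b)
    return ('and', ('or', ('not', a), b), ('or', ('not', b), a))   # iff


def push_negation(f):
    """Step 2: move negation signs in as far as possible (p7, p8 and the
    quantifier dualities ~forall = exists ~, ~exists = forall ~)."""
    tag = f[0]
    if tag == 'atom':
        return f
    if tag in ('and', 'or'):
        return (tag, push_negation(f[1]), push_negation(f[2]))
    if tag in ('forall', 'exists'):
        return (tag, f[1], push_negation(f[2]))
    g = f[1]                                             # f is ('not', g)
    if g[0] == 'atom':
        return f
    if g[0] == 'not':
        return push_negation(g[1])
    dual = {'and': 'or', 'or': 'and', 'forall': 'exists', 'exists': 'forall'}
    if g[0] in ('and', 'or'):
        return (dual[g[0]], push_negation(('not', g[1])), push_negation(('not', g[2])))
    return (dual[g[0]], g[1], push_negation(('not', g[2])))


def subst_term(t, env):
    if isinstance(t, str):
        return env.get(t, t)
    return ('fn', t[1], [subst_term(a, env) for a in t[2]])


def subst(f, env):
    """Replace variables of f according to env (bound names assumed distinct)."""
    tag = f[0]
    if tag == 'atom':
        return ('atom', f[1], [subst_term(a, env) for a in f[2]])
    if tag == 'not':
        return ('not', subst(f[1], env))
    if tag in ('and', 'or'):
        return (tag, subst(f[1], env), subst(f[2], env))
    return (tag, f[1], subst(f[2], env))


def skolemize(f, quant, prefix, counter, outer=()):
    """Step 3: replace each variable bound by `quant` with a fresh skolem
    function of the enclosing variables of the other kind, then drop all
    quantifiers.  quant='exists' is the usual treatment of hypotheses and
    known theorems; quant='forall' is the dual treatment of goals, whose
    remaining variables are understood to be existentially quantified."""
    tag = f[0]
    if tag == 'atom':
        return f
    if tag == 'not':
        return ('not', skolemize(f[1], quant, prefix, counter, outer))
    if tag in ('and', 'or'):
        return (tag, skolemize(f[1], quant, prefix, counter, outer),
                skolemize(f[2], quant, prefix, counter, outer))
    var, body = f[1], f[2]
    if tag == quant:
        sk = ('fn', '%s%d' % (prefix, next(counter)), list(outer))  # skolem term
        return skolemize(subst(body, {var: sk}), quant, prefix, counter, outer)
    return skolemize(body, quant, prefix, counter, outer + (var,))  # stays free


def prepare_goal(goal):
    f = push_negation(eliminate_connectives(goal))
    return skolemize(f, 'forall', 'r', itertools.count())


def prepare_hypothesis(hyp):
    f = push_negation(eliminate_connectives(hyp))
    return skolemize(f, 'exists', 'f', itertools.count())


# Formula (1) of section 2.5:  ∀i0 ∀i1 ∃i2 [(i0<i1 ∧ i2=0) ∨ (i0>i1 ∧ i2=1)]
FORMULA_1 = ('forall', 'i0', ('forall', 'i1', ('exists', 'i2', ('or',
             ('and', ('atom', '<', ['i0', 'i1']), ('atom', '=', ['i2', '0'])),
             ('and', ('atom', '>', ['i0', 'i1']), ('atom', '=', ['i2', '1']))))))

if __name__ == '__main__':
    print(prepare_goal(FORMULA_1))   # (r0<r1 ∧ i2=0) ∨ (r0>r1 ∧ i2=1) as tuples
```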

2.2 Reduction/Composition Rules

Rules which reduce a goal statement to two subgoal statements are expressed in the following form:

    <P0> H0 ⊢ A0   θ0
    ------------------------------------------ ⊕
    <P1> H1 ⊢ A1   θ1          <P2> H2 ⊢ A2   θ2

where A0, A1, and A2 are goal formulas, H0, H1, and H2 are sets of hypotheses, θ0, θ1, and θ2 are substitutions, P0, P1, and P2 are formulas (the derived preconditions), and ⊕ is either ∨ or ∧. A rule of this form asserts that if Pi is a (weakest) precondition of Hiθi ⊢ Aiθi for i=1,2 then P0 is a (weakest) precondition of H0θ0 ⊢ A0θ0. P0 generally is P1 ⊕ P2. Substitution θ0 is formed from substitutions θ1 and θ2 in ways that depend on ⊕.

If ⊕ is ∧ then θ0 is the unifying composition of θ1 and θ2, denoted uc(θ1,θ2). If θ0 = uc(θ1,θ2) then θ0 is a most general substitution such that for any literal L

    (Lθ1)θ0 = (Lθ0)θ1 = Lθ0 = (Lθ2)θ0 = (Lθ0)θ2.

uc(θ1,θ2) may be computed by finding the most general unifier of

    (t1, ..., tn, t(n+1), ..., t(n+m))
    (v1, ..., vn, v(n+1), ..., v(n+m))

where

    θ1 = {t1/v1, ..., tn/vn}
    θ2 = {t(n+1)/v(n+1), ..., t(n+m)/v(n+m)}.

If these expressions cannot be unified then the result is a special atom NIL. For example,

    uc({a/z}, {b/z}) = NIL
    uc({}, {a/z}) = {a/z}
    uc({f(x)/z}, {f(a)/z}) = {f(a)/z, a/x}

If ⊕ is ∨ then θ0 is formed by the disjunctive composition of P1, θ1, P2 and θ2, which is denoted dc(P1,θ1,P2,θ2). The disjunctive composition may be computed as follows, assuming that the derived preconditions P1 and P2 contain no variables. Let {S1, S2, ..., Sm} be the set of skolem function names in P1 which come from the top level goal in the current deduction. For example if the top level goal is Q(u,f1(u)) ∨ R(x,f2(x),f3) and P1 is W(f1(f3), g2(f3)) then {f1, f3} is the set of skolem function names in P1 which come from the top level goal. Let P1(y1, ..., ym) be the formula resulting from the replacement of each occurrence of skolem function Si by variable yi in P1. In the above example P1(y1,y2) denotes W(y1, g2(y2)). Function dc is defined as follows.

    dc(P1,θ1,P2,θ2) = if θ1=NIL and θ2=NIL then NIL
                      else if P1=T or θ2=NIL then θ1
                      else if P2=T or θ1=NIL then θ2
                      else if θ1 = {} then θ2
                      else {h_x(S1,S2,...,Sm)/x | t/x ∈ θ1 or t/x ∈ θ2}

where

    h_x(y1, ..., ym) = if P1(y1, ..., ym) then xθ1 else xθ2.

Loosely speaking, the disjunctive composition of P1, θ1, P2, and θ2 behaves like θ1 when P1 holds and behaves like θ2 otherwise. Some examples:

    dc(a0>3, {f1(a0)/x}, T, {a0/x}) = {a0/x}

    dc(f1>f2(f1), f1<f2(f3), {f2(f1)/z, f3/x})

where

    h_z(y1,y2,y3) = if y1>y2 then … else y2
    h_x(y1,y2,y3) = if y1>y2 then y2 else y3

A complete deduction involving a disjunctive composition is given in section 2.5.
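As an added example (not the paper's code), uc and dc implemented in Python over an assumed term encoding: variables are strings, constants and function terms are ('fn', name, args), NIL is None, and the conditional term h_x(S1,...,Sm) is written ('cond', P1, xθ1, xθ2) with P1 kept as an opaque string. It reproduces the three uc examples above, the first dc example, and the disjunctive composition that section 2.5 builds for i2.

```python
"""Unifying composition uc and disjunctive composition dc (section 2.2).
Added example; the encodings are assumptions, not the paper's notation.
Terms: a variable is a str; a constant or function term is ('fn', name, [args]).
A substitution is a dict {var: term}; NIL (no unifier) is None.
A precondition is a str: 'T', 'F' or an opaque closed formula such as 'r0<r1'.
The conditional term h_x(S1,...,Sm) of dc is written ('cond', P1, xθ1, xθ2)."""

NIL = None


def is_var(t):
    return isinstance(t, str)


def walk(t, s):
    """Follow bindings in s until a non-variable or an unbound variable."""
    while is_var(t) and t in s:
        t = s[t]
    return t


def occurs(v, t, s):
    t = walk(t, s)
    return v == t if is_var(t) else any(occurs(v, a, s) for a in t[2])


def unify(pairs):
    """Most general unifier of a list of (s, t) term pairs, or NIL."""
    s, pairs = {}, list(pairs)
    while pairs:
        a, b = pairs.pop()
        a, b = walk(a, s), walk(b, s)
        if a == b:
            continue
        if is_var(a) or is_var(b):
            v, t = (a, b) if is_var(a) else (b, a)
            if occurs(v, t, s):                 # occurs check
                return NIL
            s[v] = t
        elif a[1] == b[1] and len(a[2]) == len(b[2]):
            pairs.extend(zip(a[2], b[2]))       # same symbol: unify arguments
        else:
            return NIL                          # clash of function symbols
    return s


def apply_subst(t, s):
    """Apply substitution s to term t, following chained bindings."""
    t = walk(t, s)
    if is_var(t):
        return t
    if t[0] == 'cond':
        return ('cond', t[1], apply_subst(t[2], s), apply_subst(t[3], s))
    return ('fn', t[1], [apply_subst(a, s) for a in t[2]])


def uc(theta1, theta2):
    """uc(θ1,θ2): unify (t1..t(n+m)) with (v1..v(n+m)), θ1 = {ti/vi}, θ2 likewise."""
    if theta1 is NIL or theta2 is NIL:
        return NIL
    s = unify(list(theta1.items()) + list(theta2.items()))
    if s is NIL:
        return NIL
    return {v: apply_subst(v, s) for v in s}    # fully resolved bindings


def dc(p1, theta1, p2, theta2):
    """dc(P1,θ1,P2,θ2): behaves like θ1 when P1 holds and like θ2 otherwise.
    Assumes, as the paper does, that P1 and P2 contain no variables."""
    if theta1 is NIL and theta2 is NIL:
        return NIL
    if p1 == 'T' or theta2 is NIL:
        return theta1
    if p2 == 'T' or theta1 is NIL:
        return theta2
    if theta1 == {}:
        return theta2
    # h_x(S1..Sm) = if P1 then xθ1 else xθ2; a variable absent from one side maps to itself
    return {x: ('cond', p1, theta1.get(x, x), theta2.get(x, x))
            for x in set(theta1) | set(theta2)}


# Constructed encodings of the terms used in the text
A, B, A0 = ('fn', 'a', []), ('fn', 'b', []), ('fn', 'a0', [])
ZERO, ONE = ('fn', '0', []), ('fn', '1', [])


def fterm(t):
    return ('fn', 'f', [t])


if __name__ == '__main__':
    print(uc({'z': fterm('x')}, {'z': fterm(A)}))   # {f(a)/z, a/x}
    print(dc('r0<r1', {'i2': ZERO}, 'r0>r1', {'i2': ONE}))
```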



Rules which reduce a goal statement to one subgoal are notated

    <P0> H0 ⊢ A0   θ0
    ------------------
    <P1> H1 ⊢ A1   θ1

Occasionally, as in the application of known theorems which are implications, the relation between goal and subgoals is not one of equivalence but implication. Rules of this kind are notated

    <P0> H0 ⊢ A0   θ0
            ⇑
    <P1> H1 ⊢ A1   θ1

which asserts that if P1 is a precondition of H1θ1 ⊢ A1θ1 then P0 is a precondition of H0θ0 ⊢ A0θ0. For rules of this kind we cannot assert that P0 is a weakest precondition of H0θ0 ⊢ A0θ0 even if P1 is known to be a weakest precondition of H1θ1 ⊢ A1θ1.

The following rules are for the most part extensions of typical goal reduction rules [2,5,8].



R1. Reduction of Conjunctive Goals

    <P1 ∧ P2> H ⊢ A ∧ B   uc(θ1,θ2)
    from   <P1> H ⊢ A   θ1        <P2> H ⊢ B   θ2

R2. Reduction of Disjunctive Goals

    <P1 ∨ P2> H ⊢ A ∨ B   dc(P1,θ1,P2,θ2)
    from   <P1> H ⊢ A   θ1        <P2> H ⊢ B   θ2

R3. Reduction of Conjunctive Hypotheses

    <P> {B ∧ C} ∪ H ⊢ A   θ
    from   <P> {B, C} ∪ H ⊢ A   θ

    <P1 ∨ P2> {B ∧ C} ∪ H ⊢ A   dc(P1,θ1,P2,θ2)
    from   <P1> {B} ∪ H ⊢ A   θ1        <P2> {C} ∪ H ⊢ A   θ2

R4. Reduction of Disjunctive Hypotheses

    <P1 ∧ P2> {B ∨ C} ∪ H ⊢ A   uc(θ1,θ2)
    from   <P1> {B} ∪ H ⊢ A   θ1        <P2> {C} ∪ H ⊢ A   θ2

R5. Application of an Equivalence Formula

    <P> H ⊢ A   θθ1
    from   <P> H ⊢ Cθ   θ1
    if C ≡ B is a known theorem of TT or an hypothesis in H and θ unifies {A,B}

R6. Application of an Implicational Formula

    <P> H ⊢ A   θθ1
    from   <P> Hθ ⊢ D   θ1
    if C ⇒ B is a known theorem of TT or an hypothesis in H,
    and D is Cθ where θ unifies {A,B}
    or D is ~Bθ where θ unifies {A,~C} or {~A,C}

R7. Forward Inference from an Hypothesis

    <P> {B} ∪ H ⊢ A   θ
    from   <P> {B, Eθ1} ∪ H ⊢ A   θ
    if D ⇒ E or D ≡ E is a known theorem of TT or an hypothesis in H and θ1 unifies {B,D}

R8. Goal/Hypothesis Duality Rules

    R8a   <P> H ⊢ ~B ∨ A   θ                 R8b   <P> {B} ∪ H ⊢ A   θ
          from   <P> {B} ∪ H ⊢ A   θ               from   <P> H ⊢ ~B ∨ A   θ

R9. Substitution of Equal Terms

    <P> H ⊢ A(r)   θ
    from   <P> H ⊢ A(s)   θ
    if r=s is an hypothesis in H or a known theorem of TT

R10. Conditional Equality Substitution

    <P1 ∧ P2> H ⊢ A(r)   uc(θ1,θ2)
    from   <P1> Hθ0 ⊢ A(s2)θ0   θ1        <P2> Hθ0 ⊢ Bθ0   θ2
    if B ⇒ s1=s2 is an hypothesis in H or a known theorem of TT and θ0 unifies {r,s1}



2.3 Primitive Goals

There are several types of primitive goal statements in our system. Each is described by a notation of the form <P> H ⊢ A θ which asserts that P is a precondition of Hθ ⊢ Aθ if the associated condition holds.

    P1.  <T> H ⊢ A   θ      if θ unifies {A,B} where B is a known theorem of TT or B ∈ H

    P2.  <F> H ⊢ A   θ      if θ unifies {A,~B} or {~A,B}, where B is a known theorem of TT

In addition to P1 and P2 any goal with a null hypothesis may be taken as primitive:

    P3.  <A'> {} ⊢ A   {}   if A has the form A1 ∨ A2 ∨ ... ∨ Ak and A' has the form Ai1 ∨ Ai2 ∨ ... ∨ Aim
                            where {Ai1, ..., Aim} ⊆ {A1, ..., Ak}, and A' depends on the variables
                            x1, x2, ..., xn only when we seek an x1x2...xn-precondition.

Primitive goals of type P1 and P2 yield weakest preconditions but in general primitive goals of type P3 do not. Note that any goal statement can be converted to an equivalent goal with a null hypothesis by repeated applications of rule R8b.



2.4 The Deduction Process

The derivation of a precondition of goal statement g can be described by a two stage process. In the first phase rules are repeatedly applied to goals, reducing them to subgoals and generating a goal tree. Rules are not applied to a goal satisfying the primitive goal tests P1 and P2 or if the goal has been specially converted to satisfy P3. If for some reason, such as limits on computational resources, it is desired to terminate the reduction process before all subgoals have been reduced to primitive goals of type P1 or P2, then any subgoals waiting for rule application can be converted to a primitive goal of type P3. The result of this reduction process is a goal tree with primitive goals as leaf nodes.

The second phase involves the bottom-up composition of preconditions and substitutions. Initially each primitive goal yields a precondition and a substitution. Subsequently, whenever a precondition or substitution has been found for each subgoal of a goal g, a precondition and substitution is composed for g according to the reduction/composition rule employed. Each newly composed precondition is then run through a simplification process to be described later.

Usually several rules can be applied to a given goal and each rule will generate a precondition. In a computer implementation of this system we would make use of a complexity measuring function and select that precondition of least complexity among the alternatives.

2.5 An Example

As an example of the use of this system suppose that we wish to show that

    ∀i0 ∀i1 ∃i2 [(i0<i1 ∧ i2=0) ∨ (i0>i1 ∧ i2=1)]    (1)

is valid in TT where i0, i1, i2 are variables over ℕ (natural numbers). We do so by trying to derive T as an i0i1i2-precondition of (1). The goal after preparation is:

    (r0<r1 ∧ i2=0) ∨ (r0>r1 ∧ i2=1)

where r0 and r1 are skolem constants of type ℕ. The derivation is depicted below in figure 1. Initially (1) is reduced via rule R2 to two subgoals, then each of these subgoals is reduced via rule R1 to two other subgoals. Subgoals i2=0 and i2=1 match axiom i=i (theorem n0 in the Appendix) with substitutions {0/i2} and {1/i2} respectively and thus are primitive goals of type P1. Suppose that goals r0<r1 and r0>r1 are taken as primitive goals of type P3. The composition phase now begins. Subgoals r0<r1 ∧ i2=0 and r0>r1 ∧ i2=1 yield preconditions (r0<r1 ∧ T) and (r0>r1 ∧ T) respectively. A simplification process reduces these preconditions to r0<r1 and r0>r1 respectively. The composed substitutions for the immediate subgoals of (1) are just the unifying compositions uc({0/i2}, {}) = {0/i2} and uc({1/i2}, {}) = {1/i2} respectively. The derived precondition of goal (1) is (r0<r1 ∨ r0>r1) which simplifies (via theorem n4) to T. The composed substitution is the disjunctive composition {h_i2(r0,r1)/i2} where

    h_i2(y1,y2) = if y1<y2 then 0 else 1.

The derivation shows that T is a precondition of

    (r0<r1 ∧ i2=0) ∨ (r0>r1 ∧ i2=1)

i.e., that our original goal is valid. Furthermore we have obtained a substitution term for the one existentially quantified variable in (1). After requantifying we obtain the valid formula:

    ∀i0 ∀i1 [(i0<i1 ∧ h_i2(i0,i1)=0) ∨ (i0>i1 ∧ h_i2(i0,i1)=1)].

In this example and all that follow we annotate the arcs with the name of the rule and theorem used and note the primitive goal type of each leaf node. Also in this example we write the simplified form of the composed precondition P immediately under P. Hereafter in examples we will simply omit the composed precondition in favor of its simplified form. Also we omit substitutions when they are inessential to an understanding of a derivation.

    <r0<r1 ∨ r0>r1>  {} ⊢ (r0<r1 ∧ i2=0) ∨ (r0>r1 ∧ i2=1)   {h_i2(r0,r1)/i2}
    <T>
      R2
      <r0<r1 ∧ T>  {} ⊢ r0<r1 ∧ i2=0   {0/i2}
      <r0<r1>
        R1
        <r0<r1>  {} ⊢ r0<r1   {}       P3
        <T>      {} ⊢ i2=0    {0/i2}   P1+n0
      <r0>r1 ∧ T>  {} ⊢ r0>r1 ∧ i2=1   {1/i2}
      <r0>r1>
        R1
        <r0>r1>  {} ⊢ r0>r1   {}       P3
        <T>      {} ⊢ i2=1    {1/i2}   P1+n0

    Figure 1.

2.6 Formula Simplification

Any deductive mechanism needs a means to simplify formulas which are generated during the deductive process. Simplification can be usefully viewed as the task of finding a weakest precondition (in all variables) of formula A. The search for a simple weakest precondition is kept short by using only a few of the known theorems of TT. The strategy followed in the examples is to repeat the following sequence of rule applications until the goal has been reduced to literals:

a) simplify the goal as much as possible using known equivalence theorems of TT,

b) multiply subexpressions out using p9 and p10 (DeMorgan's Laws),

c) break the result of (b) down to subexpressions using R1 or R2.

The multiplication step allows us to mix preconditions which were returned from different branches of the goal tree.

A precondition generating mechanism used for simplification purposes must be carefully controlled in order to avoid infinite regress. One way around this problem is to prohibit simplification of preconditions generated during the simplification process. Instead we check whether the final derived precondition P is simpler than the initial goal formula A. If not then A is returned, otherwise we attempt to simplify P. If our complexity measuring function ranges over a well-founded set then this simplification process will terminate.

Suppose that we need to simplify the expression

    (i>j ∨ i=0) ∧ (i<j ∨ j=0)    (2)

where i and j vary over ℕ. The derivation in figure 2a yields

    (i>0 ∧ j=0) ∨ i=0

as a weakest precondition (i.e. equivalent form) of (2). The derivation in figure 2b yields

    (i=0 ∨ j=0)    (3)

as a weakest precondition. The result is that (2) has been simplified to (3).

    <(i>0 ∧ j=0) ∨ i=0>  {} ⊢ (i>j ∨ i=0) ∧ (i<j ∨ j=0)
      R5+p9, R2
      <i>0 ∧ j=0>  {} ⊢ i>j ∧ (i<j ∨ j=0)
        R5+p9, R2
        <F>  {} ⊢ i>j ∧ i<j                 P2+n5
        <i>0 ∧ j=0>  {} ⊢ i>j ∧ j=0
          R5+e1
          <i>0 ∧ j=0>  {} ⊢ i>0 ∧ j=0
            R1
            <i>0>  {} ⊢ i>0                 P3
            <j=0>  {} ⊢ j=0                 P3
      <i=0>  {} ⊢ i=0 ∧ (i<j ∨ j=0)
        R5+e1
        <i=0>  {} ⊢ i=0 ∧ (0<j ∨ j=0)
          R1
          <i=0>  {} ⊢ i=0                   P3
          <T>    {} ⊢ 0<j ∨ j=0             P1+n2

    Figure 2a. First pass at simplifying goal formula (2).

    <i=0 ∨ j=0>  {} ⊢ i=0 ∨ (i>0 ∧ j=0)
      R5+p10, R1
      <T>  {} ⊢ i=0 ∨ i>0                   P1+n2
      <i=0 ∨ j=0>  {} ⊢ i=0 ∨ j=0
        R2
        <i=0>  {} ⊢ i=0                     P3
        <j=0>  {} ⊢ j=0                     P3

    Figure 2b. Second pass: simplifying the result of figure 2a.

3. The Use of Derived Preconditions in Program Synthesis

In this section we show how derived preconditions can play a central role in the design of algorithms [9,10]. Many of the key steps in the design process involve finding a precondition of a formula constructed by instantiation of a formula schema with functions, predicates and types from the specification and the partially designed algorithm. The resulting derived precondition is used to either strengthen or complete some aspect of the target algorithm.

Initially a user supplies a complete formal specification of a problem which he desires to solve. The specification consists of a naming of the input and output data types, and two formulas called the input and output conditions. The types, functions and predicates involved in the specification must be part of the language of TT. For example, the problem of sorting a list of natural numbers may be specified as follows:

    QSORT(x) = z such that ORD(z) ∧ BAG(x)=BAG(z)
    where QSORT: LIST(ℕ) → LIST(ℕ).
Here the input and output types are LIST(ℕ) (lists of natural numbers). There is no input condition (except the implicit condition of the input type) and the output condition is ORD(z) ∧ BAG(x)=BAG(z) where ORD(z) holds iff the list z is in nondecreasing order, and BAG(x)=BAG(z) holds iff the multiset (bag) of elements in x and z is the same.

We will construct a divide and conquer algorithm (quicksort) of the form:

    QSORT(x) = if
                   PRIM(x) → QSORT := f(x)
                □ ~PRIM(x) → (x1,x2) := DECOMPOSE(x);
                             (z1,z2) := (QSORT(x1), QSORT(x2));
                             QSORT := COMPOSE(z1,z2)
               fi

where PRIM is a predicate which determines when to terminate recursion, f is a function which provides a solution for primitive inputs, and DECOMPOSE and COMPOSE are decomposition and composition functions respectively. In this program schema PRIM, f, DECOMPOSE, and COMPOSE are uninterpreted functions whose values we have to determine. The if-fi construct is Dijkstra's nondeterministic conditional statement [3]. Associated with the algorithm schema is a correctness schema which will be introduced later.

The first step in the synthesis process involves the representation of the user's problem by a problem reduction model [10]. This format extends the specification of a problem and restricts the type of algorithms which can be used to solve the problem to one of a small number of algorithms which work by problem reduction. For present purposes the relevant parts of the representation for QSORT are:

a) a relation IDR, called the input decomposition relation, which constrains the way in which input x0 can be decomposed into objects x1 and x2 and serves as a partial output condition on subalgorithm DECOMPOSE in the divide and conquer schema:

    IDR(x0,x1,x2) ≡ BAG(x0)=BAG(x1) ∪ BAG(x2)

where B1 ∪ B2 denotes the bag-union of bags B1 and B2.

b) a relation OCR, called the output composition relation, which constrains the way in which output object z0 can be formed from objects z1 and z2 and serves as a partial output condition on the subalgorithm COMPOSE:

    OCR(z0,z1,z2) ≡ BAG(z0)=BAG(z1) ∪ BAG(z2)

c) a well-founded ordering relation ≻ on LIST(ℕ) which is used to ensure that the target program terminates on all inputs:

    x0 ≻ x1 ≡ LG(x0)>LG(x1)

where the function LG(x) returns the length of the list x.



3.1 Checking and Enforcing Compatibility in the Representation

The representation of the user's problem by a problem reduction model is constructed by heuristic means. A formula expressing the mutual compatibility of various parts of the model is constructed and an attempt is made to verify it. If the derived precondition P is T then the parts are compatible; otherwise we use P to modify the model to ensure compatibility. For example we want the input decomposition relation IDR to be compatible with the well-founded ordering ≻, in the sense that

    ∀x0 ∀x1 ∀x2 [IDR(x0,x1,x2) ⇒ x0 ≻ x1 ∧ x0 ≻ x2]

i.e., if x0 can decompose into lists x1 and x2 then x1 and x2 must both be smaller than x0 under the ≻ relation. After substituting in the form of IDR and the well-founded ordering for the QSORT example, and preparing the formula, we obtain the goal:

    BAG(a0)=BAG(a1) ∪ BAG(a2) ⇒ LG(a0)>LG(a1) ∧ LG(a0)>LG(a2)    (4)

where a0, a1, and a2 are skolem constants for the (universally quantified) variables x0, x1, x2. The derivation of an x0x1x2-precondition of (4) is given in figure 3. The resulting precondition is

    BAG(x0)=BAG(x1) ∪ BAG(x2) ⇒ LG(x1)>0 ∧ LG(x2)>0

which means that IDR is not strong enough to imply the consequent of the original goal. From the definition of preconditions it follows that the conjunction of IDR and the derived precondition will in fact imply the consequent of (4).
    <Q>  {} ⊢ BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x0)>LG(x1) ∧ LG(x0)>LG(x2)
      R8a
      <Q>  {BAG(x0)=BAG(x1)∪BAG(x2)} ⊢ LG(x0)>LG(x1) ∧ LG(x0)>LG(x2)
        R1
        <Q1>  {BAG(x0)=BAG(x1)∪BAG(x2)} ⊢ LG(x0)>LG(x1)
          R7+lb2
          <Q1>  H ⊢ LG(x0)>LG(x1)
            R9
            <Q1>  H ⊢ LG(x1)+LG(x2)>LG(x1)
              R5+n6
              <Q1>  H ⊢ LG(x2)>0
                R8b
                <Q1>  {} ⊢ Q1                         P3
        <Q2>  {BAG(x0)=BAG(x1)∪BAG(x2)} ⊢ LG(x0)>LG(x2)
          R7+lb2
          <Q2>  H ⊢ LG(x0)>LG(x2)
            R9
            <Q2>  H ⊢ LG(x1)+LG(x2)>LG(x2)
              R5+n6
              <Q2>  H ⊢ LG(x1)>0
                R8b
                <Q2>  {} ⊢ Q2                         P3

    Q1 is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x2)>0
    Q2 is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ LG(x1)>0
    Q  is BAG(x0)=BAG(x1)∪BAG(x2) ⇒ (LG(x2)>0 ∧ LG(x1)>0)
    H  = {BAG(x0)=BAG(x1)∪BAG(x2), LG(x0)=LG(x1)+LG(x2)}

    Figure 3. Checking Compatibility of IDR and ≻.
Thus we can form a new strengthened input decomposition relation IDR' where

    IDR'(x0,x1,x2) ≡ IDR(x0,x1,x2) ∧ [BAG(x0)=BAG(x1) ∪ BAG(x2) ⇒ LG(x1)>0 ∧ LG(x2)>0]

The derivation in figure 3 guarantees that IDR' is compatible with the well-founded ordering. After simplifying IDR' we have

    IDR'(x0,x1,x2) ≡ BAG(x0)=BAG(x1) ∪ BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0.



3.2 Reducing a Quantified Predicate to a Target Language Expression

The predicate PRIM(x) in the divide and conquer schema is intended to distinguish nondecomposable from decomposable inputs. In the QSORT example it is sufficient for ~PRIM(x0) to be an x0-precondition of

    ∀x0 ∃x1 ∃x2 IDR'(x0,x1,x2)

i.e. a list is decomposable only if there are lists into which it can decompose. The deduction in figure 4 yields the precondition LG(a0)>1 and after some simple manipulations LG(x)≤1 and LG(x)>1 can be substituted for PRIM(x) and ~PRIM(x) respectively in QSORT. One additional mechanism is needed to correctly handle this example. The reduction/composition rule R1 treats each subgoal independently and combines the returned substitutions into their unifying composition. This treatment does not work well when the subgoals have common variables. Most theorem proving systems allow substitutions in one subgoal to be applied to the other (since different substitutions may be found independently for the same variable) and we follow this practice here.

    <LG(a0)>1>  {} ⊢ BAG(a0)=BAG(x1)∪BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0
      (θ1 and θ2 from the subgoals LG(x1)>0 and LG(x2)>0, applied to the remaining conjunct)
      <LG(a0)>1>  {} ⊢ BAG(a0)=BAG(cons(j1,w1))∪BAG(cons(j2,w2))
        R10+lb9
        <T>  {} ⊢ cons(j1,w1)=cons(i1,y1)                     P1+lb1,n0
        <T>  {} ⊢ cons(j2,w2)=cons(i2,y2)                     P1+lb1,n0
        <LG(a0)>1>  {} ⊢ BAG(a0)={j1}∪BAG(w1)∪{j2}∪BAG(w2)
          R9+lb5,lb7,lb8
          <LG(a0)>1>  {} ⊢ BAG(a0)={j1,j2}∪BAG(append(w1,w2))
            R6+lb9
            <LG(a0)>1>  {} ⊢ a0=cons(j1,cons(j2,append(w1,w2)))
              R5+lb10
              <LG(a0)>1>  {} ⊢ LG(a0)>1                      P3

    where θ1 = {cons(j1,w1)/x1} and θ2 = {cons(j2,w2)/x2}

    Figure 4. Generating a target language expression for ~PRIM

3.3 Simple Code Generation through Substitution of a Term for an Output Variable

With the PRIM predicate in hand the synthesis process can proceed to the task of finding a target language expression to handle primitive inputs in the quicksort algorithm. A correctness formula for the primitive branch of the quicksort algorithm is:

    ∀x ∃z [LG(x)≤1 ⇒ ORD(z) ∧ PERM(x,z)].

The deduction in figure 5 shows that T is an xz-precondition of this formula, thus proving its validity in TT. The substitution gives us a value for z for any x, namely x itself. Thus the primitive branch of our quicksort is completed since x is the desired output value. The target algorithm now has the form

    QSORT(x) = if
                   LG(x)≤1 → QSORT := x
                □ LG(x)>1 → ...
               fi

    <T>  {} ⊢ LG(a)≤1 ⇒ ORD(z) ∧ BAG(a)=BAG(z)   {a/z}
      R8a
      <T>  {LG(a)≤1} ⊢ ORD(z) ∧ BAG(a)=BAG(z)    {a/z}
        R1
        <T>  {LG(a)≤1} ⊢ ORD(z)                  {a/z}
          R6+lb3
          <T>  {LG(a)≤1} ⊢ LG(z)≤1               {a/z}    P1
        <T>  {LG(a)≤1} ⊢ BAG(a)=BAG(z)           {a/z}    P1

    Figure 5. Finding a target language term



3.4 Completion of the Partial Specification of a Subalgorithm

The next step in the synthesis provides our final example and completes the construction of the top level algorithm for QSORT. The nonprimitive branch of QSORT has two uninterpreted functions COMPOSE and DECOMPOSE which have partial specifications based on OCR and IDR respectively. We look for a known target language function satisfying either partial specification and find that the function APPEND, which appends one list onto the end of another, satisfies the (partial) specification for COMPOSE. The algorithm schema then becomes:

    QSORT(x) = if
                   LG(x)≤1 → QSORT := x
                □ LG(x)>1 → (x1,x2) := DECOMPOSE(x);
                             (z1,z2) := (QSORT(x1), QSORT(x2));
                             QSORT := APPEND(z1,z2)
               fi

where subalgorithm DECOMPOSE remains to be synthesized and has partial specification

    DECOMPOSE(x) = (x1,x2) such that [LG(x)>1 ⇒ (BAG(x)=BAG(x1) ∪ BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0)]
    where DECOMPOSE: LIST(ℕ) → LIST(ℕ)².

The concern now is to find any additional output conditions needed by DECOMPOSE in order to make QSORT satisfy its formal specification. A sufficient condition for the total correctness of QSORT [10] is:

    ∀x0 ∀x1 ∀x2 ∀z0 ∀z1 ∀z2 [[BAG(x0)=BAG(x1) ∪ BAG(x2) ∧
                                LG(x1)>0 ∧ LG(x2)>0 ∧
                                BAG(x1)=BAG(z1) ∧ ORD(z1) ∧
                                BAG(x2)=BAG(z2) ∧ ORD(z2) ∧
                                z0=APPEND(z1,z2)] ⇒ (BAG(x0)=BAG(z0) ∧ ORD(z0))]    (6)

If (6) is not valid it is because the specification of DECOMPOSE is too weak. We seek therefore an x0x1x2-precondition of (6) and add it to the output specification of DECOMPOSE. Preparing (6) results in the substitution of skolem constants a0, b1, b2, c0, c1, c2 for x0, x1, x2, z0, z1, z2 respectively. Let H denote the set of conjuncts in the antecedent of the prepared correctness formula and A the consequent. An expression of the form P(ALL(B)) will be used to abbreviate ∀x∈B P(x) where B is a bag variable. The derivations given in figures 6a and 6b yield

    ALL(BAG(x1)) ≤ ALL(BAG(x2)).

Strengthening DECOMPOSE with this precondition we obtain the complete specification

    DECOMPOSE(x) = (x1,x2) such that [LG(x)>1 ⇒ (BAG(x)=BAG(x1) ∪ BAG(x2) ∧
                                      LG(x1)>0 ∧ LG(x2)>0 ∧ ALL(BAG(x1)) ≤ ALL(BAG(x2)))]
    where DECOMPOSE: LIST(ℕ) → LIST(ℕ)².

The synthesis process is then recursively invoked to design an algorithm meeting these specifications.

    <T>  {c0=APPEND(c1,c2)} ∪ H ⊢ BAG(a0)=BAG(c0)
      R9
      <T>  H ⊢ BAG(a0)=BAG(APPEND(c1,c2))
        R9+lb5
        <T>  {BAG(b1)=BAG(c1), BAG(b2)=BAG(c2)} ∪ H ⊢ BAG(a0)=BAG(c1)∪BAG(c2)
          R9
          <T>  {BAG(a0)=BAG(b1)∪BAG(b2)} ∪ H ⊢ BAG(a0)=BAG(b1)∪BAG(b2)       P1

    Figure 6a. Nonprimitive branch of QSORT

    <P>  {c0=APPEND(c1,c2)} ∪ H ⊢ ORD(c0)
      R9
      <P>  H ⊢ ORD(APPEND(c1,c2))
        R5+lb4, R1
        <T>  {ORD(c1)} ∪ H ⊢ ORD(c1)                                        P1
        <T>  {ORD(c2)} ∪ H ⊢ ORD(c2)                                        P1
        <P>  {BAG(c1)=BAG(b1), BAG(c2)=BAG(b2)} ∪ H ⊢ ALL(BAG(c1))≤ALL(BAG(c2))
          R9
          <P>  H ⊢ ALL(BAG(b1))≤ALL(BAG(b2))
            R8b
            <P>  {} ⊢ ~H ∨ P                                                P3

    where P is ALL(BAG(b1))≤ALL(BAG(b2))

    Figure 6b. Completing the specification of DECOMPOSE
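As an added example (not the paper's code), the QSORT assembled in sections 3.1 to 3.4 written in Python with the derived conditions checked at run time: decompose() is one assumed choice of DECOMPOSE that meets the completed specification, and correctness_formula_holds() evaluates formula (6) on concrete lists, showing why the ALL(BAG(x1)) ≤ ALL(BAG(x2)) conjunct is needed.

```python
"""QSORT as assembled in section 3, with the derived conditions checked at run
time.  Added example, not the paper's code; decompose() is one assumed function
meeting the completed DECOMPOSE specification (any other satisfying it would do)."""
from collections import Counter


def BAG(x):
    """Multiset of the elements of list x; Counter addition is bag-union."""
    return Counter(x)


def LG(x):
    return len(x)


def ORD(z):
    """z is in nondecreasing order."""
    return all(z[i] <= z[i + 1] for i in range(len(z) - 1))


def decompose(x):
    """DECOMPOSE(x) = (x1, x2) such that LG(x)>1 ⇒
       BAG(x)=BAG(x1)∪BAG(x2) ∧ LG(x1)>0 ∧ LG(x2)>0 ∧ ALL(BAG(x1))≤ALL(BAG(x2)).
    Partition around the first element; if that element is a minimum the
    strict partition would leave x1 empty, so one copy of it goes to x1."""
    p = x[0]
    x1 = [e for e in x if e < p]
    x2 = [e for e in x if e >= p]            # starts with p itself
    if not x1:
        x1, x2 = [p], x2[1:]
    return x1, x2


def decompose_spec_holds(x, x1, x2):
    """The completed output condition of DECOMPOSE for a concrete input."""
    if LG(x) <= 1:
        return True                          # antecedent LG(x)>1 is false
    return (BAG(x) == BAG(x1) + BAG(x2)      # bag union
            and LG(x1) > 0 and LG(x2) > 0
            and max(x1) <= min(x2))          # ALL(BAG(x1)) ≤ ALL(BAG(x2))


def qsort(x):
    """QSORT(x) = if LG(x)≤1 → x  □  LG(x)>1 → APPEND(QSORT(x1), QSORT(x2)) fi."""
    if LG(x) <= 1:
        return list(x)
    x1, x2 = decompose(x)
    assert decompose_spec_holds(x, x1, x2)
    assert LG(x) > LG(x1) and LG(x) > LG(x2)  # well-founded ordering ≻ (termination)
    z1, z2 = qsort(x1), qsort(x2)
    return z1 + z2                           # COMPOSE is APPEND


def correctness_formula_holds(x0, x1, x2, z0, z1, z2):
    """Formula (6) for one instance: the antecedent of the nonprimitive branch
    implies the output condition BAG(x0)=BAG(z0) ∧ ORD(z0).  The antecedent
    deliberately lacks the derived ALL(...) conjunct, so it can fail."""
    antecedent = (BAG(x0) == BAG(x1) + BAG(x2) and LG(x1) > 0 and LG(x2) > 0
                  and BAG(x1) == BAG(z1) and ORD(z1)
                  and BAG(x2) == BAG(z2) and ORD(z2)
                  and z0 == z1 + z2)
    return (not antecedent) or (BAG(x0) == BAG(z0) and ORD(z0))


def satisfies_spec(x):
    """Output condition of QSORT: ORD(z) ∧ BAG(x)=BAG(z) for z = QSORT(x)."""
    z = qsort(x)
    return ORD(z) and BAG(x) == BAG(z)


SAMPLE = [3, 1, 4, 1, 5, 9, 2, 6]            # constructed input

if __name__ == '__main__':
    print(qsort(SAMPLE))                      # [1, 1, 2, 3, 4, 5, 6, 9]
```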

The synthesis system from which we've drawn the examples is an attempt to obtain increased synthesis performance by 1) dividing the synthesis task into a number of relatively small deductive tasks, and 2) using large amounts of knowledge about programming. The system makes use of two types of programming knowledge: 1) control strategy knowledge encoded by program schemas (such as the schema for divide and conquer used above) and their associated correctness schemas, and 2) data structure knowledge represented in part by the known theorems of TT. Other recent deductive approaches to program synthesis [1,4,6] also make use of data structure knowledge, but have different approaches to representing control knowledge and tend to construct programs on the basis of a single large deductive task.

4. Conclusion

In this paper we have defined a new deductive problem, that of finding a precondition of a given formula, and presented a formal system within which preconditions can be derived. We have tried to convey a sense of the flexibility and usefulness of such a system through a number of examples drawn from the domain of program synthesis. We are currently implementing a system based on the one described here and hope to report on such issues as formula complexity measures and control, which we have largely ignored here, in a future paper.



APPENDIX

Listed below are the known theorems used in the examples of this paper. It is important that these assertions are expressed in their strongest form (i.e., as equivalences rather than implications) whenever possible, so that it can be determined whether a weakest precondition has been derived or not. Often a theorem is used in one direction only although it may be stated as an equivalence.

Propositional theorems

    p1.  A ∨ ~A
    p2.  ~(A ∧ ~A)
    p3.  T ∧ A ≡ A
    p4.  T ∨ A ≡ T
    p5.  F ∧ A ≡ F
    p6.  F ∨ A ≡ A
    p7.  ~(A ∧ B) ≡ ~A ∨ ~B
    p8.  ~(A ∨ B) ≡ ~A ∧ ~B
    p9.  A ∧ (B ∨ C) ≡ (A ∧ B) ∨ (A ∧ C)
    p10. A ∨ (B ∧ C) ≡ (A ∨ B) ∧ (A ∨ C)
    p11. (A ⇒ B) ≡ (~A ∨ B)
    p12. A ∨ (A ∧ B) ≡ A
    p13. A ∧ (A ∨ B) ≡ A

Equality theorems

    e1.  P(x) ∧ x=y ≡ P(y) ∧ x=y      where P(x) is a formula depending on term x.

Natural number theorems

Let i,j,k denote variables of type ℕ.

    n0.  i=i
    n1.  i≥0
    n2.  i=0 ∨ i>0
    n3.  i<j ∨ i≥j
    n4.  i≤j ∨ i>j
    n5.  ~(i<j ∧ i>j)
    n6.  i+j>i ≡ j>0
    n7.  ~(i>k) ≡ i≤k
    n8.  ~(i<k) ≡ i≥k
    n9.  i>k1 ∧ j>k2 ⇒ i+j>k1+k2+1

List and Bag theorems

Let w0,w1,w2 vary over LIST(ℕ), and let B1,B2 vary over BAGS(ℕ).

    lb1.  w0 = w0
    lb2.  BAG(w0)=BAG(w1) ∪ BAG(w2) ⇒ LG(w0)=LG(w1)+LG(w2)
    lb3.  LG(w0)≤1 ⇒ ORD(w0)
    lb4.  [ORD(w1) ∧ ORD(w2) ∧ ALL(BAG(w1))≤ALL(BAG(w2))] ≡ ORD(APPEND(w1,w2))
    lb5.  BAG(APPEND(w0,w1)) = BAG(w0) ∪ BAG(w1)
    lb6.  B1 = B1
    lb7.  {i1} ∪ {i2} = {i1,i2}
    lb8.  B1 ∪ B2 = B2 ∪ B1
    lb9.  w1 = cons(i0, cons(i1, ... cons(in, w2) ...)) ⇒ BAG(w1) = {i0, i1, ..., in} ∪ BAG(w2)
    lb10. w0 = cons(i0, cons(i1, ... cons(in, w1) ...)) ≡ LG(w0)>n